| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org, Joe Conway <mail(at)joeconway(dot)com>, Martin Pihlak <martin(dot)pihlak(at)gmail(dot)com> |
| Subject: | Re: dblink vs SQL/MED - security and implementation details |
| Date: | 2009-01-06 18:31:10 |
| Message-ID: | 9169.1231266670@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On Tuesday 06 January 2009 19:50:51 Tom Lane wrote:
>> What about the permissions on the system catalogs themselves?
>> AFAICT, the pg_user_mappings view will expose user passwords to
>> the "owner" of the foreign server, which doesn't seem good.
> Well, no one is forcing you to put a password there. dblink has had its
> mechanisms for obtaining passwords until now, and those are not invalidated
> by this. There are as always limited use cases for hardcoding passwords, but
> in a fully multiuser environment you probably want to use a different
> authentication mechanism. Eventually, when we allow these modules to
> actually call out, we will have to seriously evaluate that. But for right
> now, if you don't want your password in there, don't put it there.
Huh? The advertised reason for putting in all this stuff was to provide
a thought-through, secure mechanism for dealing with connection
information. If we haven't done that thinking yet, I'm of the opinion
the whole thing should be ripped out until we have. It's of exactly
zero value if it cannot be trusted with a password.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2009-01-06 18:38:42 | Re: version() output vs. 32/64 bits |
| Previous Message | Peter Eisentraut | 2009-01-06 18:25:14 | Re: dblink vs SQL/MED - security and implementation details |